Don't allow root to login remotely. Instead, the admin could login as another account, then, "su -". However, root can still login "from the local terminal".

In the "/etc/ssh/sshd_config" file change the following lines:

Protocol 2 PermitRootLogin no PermitEmptyPasswords no

Then, restart ssh: /etc/init.d/sshd restart

Why would you want to do this? It's not possible for anyone to guess or keep trying the root account. This is especially good for computers on the Internet. So, even if the "root" passwords is known, they can't get access to the system remotely. Only from the terminal, which is locked in your computer room. However, if anyone has a account on the server, then, they can login under their account then "su -".

Suppose you only want a limited number of users: "user1" and "user2". Add the following line to "/etc/ssh/sshd_config". Note, this allows access for chirico and donkey, but everyone else is denied.